This week is a follow-up on a post of about a year ago about using the automatic account management mode of Windows LAPS. That post was fully focused on the preview functionality that was available within Windows and that could only be configured by using custom configuration profiles. This time it’s all about the generally available functionality in Windows and Microsoft Intune. Windows LAPS can be used to help organizations secure the built-in local administrator account that is available on each Windows device. The account management mode provides more flexibility on top of that, as it can be used for creating, configuring and managing a specific target account. That includes the ability to choose the target account, to randomize the account name, and to configure a specific prefix for the account name. All of those features are focused on even better protecting and managing local administrator accounts. This post will focus on the easier management of the account management mode, by starting with a brief overview of the different account management modes and the corresponding configuration options. This post will end with the steps to configure the account management mode of Windows LAPS and the experience with that configuration.
Important: Account management modes are available in Windows 11, version 24H2 and later.
Managing account management mode for Windows LAPS
The account management modes for Windows LAPS are available in Windows 11 version 24H2 and later, and the integrated configuration capabilities are available since Microsoft Intune service release 2503. With these updates, the IT administrator gets the ability to easily configure the account management mode for the specified target account. Before looking at the configuration options, let’s start with a brief summary of the available account management modes for Windows LAPS:
- Manual account management: The manual account management mode is the default mode. Within the manual account management mode, the IT administrator is responsible for all the configuration aspects of the targeted account.
- Automatic account management: The automatic account management mode is an optional mode. Within the automatic account management mode, Windows LAPS is responsible for all configuration aspects of the targeted account.
After becoming familiar with the available account management modes for Windows LAPS, it’s important to understand the available configuration options. Those configurations are available within the LAPS CSP in Windows 11 version 24H2 and later. Within that CSP the following settings are available to configure everything around the account management mode:
- The setting Automatic Account Management Enabled (AutomaticAccountManagementEnabled) can be used to enable automatic account management.
- The setting Automatic Account Management Enable Account (AutomaticAccountManagementEnableAccount) can be used to configure whether the automatically managed account is enabled or disabled. By default the managed account is disabled, which keeps it unusable until it is explicitly enabled.
- The setting Automatic Account Management Name Or Prefix (AutomaticAccountManagementNameOrPrefix) can be used to configure the name or prefix of the managed local administrator account.
- The setting Automatic Account Management Randomize Name (AutomaticAccountManagementRandomizeName) can be used to configure that the account name uses a random numeric suffix each time the password is rotated.
- The setting Automatic Account Management Target (AutomaticAccountManagementTarget) can be used to configure the target account that is automatically managed.
Note: The Automatic Account Management Enabled setting is a requirement for the other settings; without it, the other automatic account management settings have no effect.
When the configuration options for the automatic account management of Windows LAPS are familiar, it’s time to look at the configuration options within Microsoft Intune. The good thing is that those settings are now available as part of the Local admin password solution (Windows LAPS) profile, which is a part of the account protection configurations. The following eight steps walk through the configuration of that profile and focus on the account management mode configuration.
- Open Microsoft Intune admin center and navigate to Endpoint security > Account protection
- On the Endpoint security | Account protection page, click Create Policy
- On the Create a profile page, provide the following information and click Create
- Platform: Select Windows 10 and later as value
- Profile: Select Local admin password solution (Windows LAPS) as value
- On the Basics page, specify a valid name to distinguish the policy from other similar policies and click Next
- On the Configuration settings page, as shown below in Figure 1, provide at least the following information and click Next
- Automatic Account Management Enabled: Select The target account will be automatically managed to enable the automatic account management mode for the targeted account
- Automatic Account Management Enable Account: Select Target account will be disabled (Default) to keep the targeted managed account disabled
- Automatic Account Management Randomize Name: Select The name of the target account will use a random numeric suffix to automatically randomize the account name after a password rotation
- Automatic Account Management Target: Select Manage a new custom administrator account (Default) to manage a custom administrator account instead of the default built-in local administrator account
- Automatic Account Management Name Or Prefix: Switch the slider to Configured and specify a custom prefix to configure a specific prefix that is used for the managed account

Note: The focus for this post is the account management configuration, but don’t forget to configure the basics (backup directory, password details, and post authentication behavior).
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the required assignment by selecting the applicable group and click Next
- On the Create + Review page, review the configuration and click Create
Note: The applied configuration is stored in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\LAPS.
Experiencing automatic account management mode of Windows LAPS
After applying the account management mode configuration for Windows LAPS, it’s interesting to see what the behavior is on Windows 11 devices. The best place to first verify the applied configuration is Event ID 10022 in the Microsoft-Windows-LAPS/Operational log in the Event Viewer. That event provides an overview of the applied configuration details. Then simply look at Local Users and Groups in Computer Management and verify that the automatically managed account is present and matches the specified configuration. Below in Figure 2 is a clear example. A custom admin account is targeted. That account is created with a randomized numeric suffix (837091) behind the specified prefix (PVDW) and is disabled.

Note: Every change to the managed account will be prevented. When the user tries to make changes to that account, the following message will be shown: “The account is controlled by external policy and cannot be modified“.
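To verify the same things from the device side instead of clicking through Event Viewer and Computer Management, below is an added PowerShell example that is not part of the original post. It reads the applied policy from the registry location mentioned above, checks the dependency on the Automatic Account Management Enabled setting, re-applies the policy with Invoke-LapsPolicyProcessing from the built-in LAPS PowerShell module, reads the most recent Event ID 10022, looks for the managed account by its prefix and checks its membership of the local Administrators group, and finally tries a harmless modification to show that the account is controlled by policy. The prefix PVDW is taken from the post; the script assumes an elevated session on a Windows 11 24H2 device that received the Intune profile.

```powershell
# Added example, not part of the original post: verify the Windows LAPS automatic
# account management configuration and its effect on a Windows 11 24H2 device.
# Run in an elevated PowerShell session on the managed device.
# Assumption: the policy was applied via the Intune LAPS profile and the managed
# account uses the prefix "PVDW" from the post; adjust $expectedPrefix otherwise.

$policyPath     = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$expectedPrefix = 'PVDW'

# 1. Show the applied policy. The registry value names match the LAPS CSP setting names.
$policy   = Get-ItemProperty -Path $policyPath -ErrorAction Stop
$settings = @(
    'AutomaticAccountManagementEnabled',
    'AutomaticAccountManagementEnableAccount',
    'AutomaticAccountManagementNameOrPrefix',
    'AutomaticAccountManagementRandomizeName',
    'AutomaticAccountManagementTarget',
    'BackupDirectory'
)
foreach ($name in $settings) {
    $prop = $policy.PSObject.Properties[$name]
    if ($null -eq $prop) { '{0,-42} <not configured>' -f $name }
    else                 { '{0,-42} {1}' -f $name, $prop.Value }
}

# 2. Check the dependency described in the post: the other automatic account
#    management settings only take effect when AutomaticAccountManagementEnabled is 1.
if ($policy.AutomaticAccountManagementEnabled -ne 1) {
    Write-Warning 'AutomaticAccountManagementEnabled is not 1; the other automatic account management settings will not take effect.'
}

# 3. Re-apply the policy and read the most recent configuration event (ID 10022).
Invoke-LapsPolicyProcessing
$configEvent = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-LAPS/Operational'
    Id      = 10022
} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($configEvent) {
    "Last configuration event: $($configEvent.TimeCreated)"
    $configEvent.Message
} else {
    Write-Warning 'No Event ID 10022 found in Microsoft-Windows-LAPS/Operational.'
}

# 4. Find the managed account: with RandomizeName set the name is <prefix><digits>,
#    without it the account is named exactly like the configured value.
$pattern = '^{0}\d*$' -f [regex]::Escape($expectedPrefix)
$managed = @(Get-LocalUser | Where-Object { $_.Name -match $pattern })
if ($managed.Count -eq 0) {
    Write-Warning "No local account matching prefix '$expectedPrefix' found (yet)."
    return
}

try {
    $adminSids = @((Get-LocalGroupMember -Group 'Administrators').SID.Value)
} catch {
    # Get-LocalGroupMember can fail when the group contains members whose SID
    # cannot be resolved; in that case the membership check is skipped.
    Write-Warning "Get-LocalGroupMember failed: $($_.Exception.Message)"
    $adminSids = @()
}
foreach ($account in $managed) {
    [pscustomobject]@{
        Name          = $account.Name
        Enabled       = $account.Enabled
        Administrator = ($adminSids -contains $account.SID.Value)
        SID           = $account.SID.Value
    }
}

# 5. Show that the account is locked down by policy: even a description change
#    should fail with "The account is controlled by external policy and cannot be modified".
try {
    Set-LocalUser -Name $managed[0].Name -Description 'LAPS check' -ErrorAction Stop
    Write-Warning 'Modification succeeded; the account does not appear to be policy-controlled.'
} catch {
    "Modification blocked as expected: $($_.Exception.Message)"
}
```

The account lookup deliberately uses the prefix rather than a fixed name, because with Automatic Account Management Randomize Name enabled the numeric suffix changes at every password rotation; anything that hardcodes the full name (scripts, monitoring, break-glass documentation) will break after the first rotation.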
More information
For more information about Windows LAPS and the account management options, refer to the following docs.
- Windows LAPS architecture | Microsoft Learn
- Windows LAPS account management modes | Microsoft Learn
- Windows LAPS passwords and passphrases | Microsoft Learn
- LAPS CSP – Windows Client Management | Microsoft Learn